Complacency and incompetence are the biggest computer security threats, and Apple’s latest Mac security flaw seems to combine both of these. The flaw means anyone with physical access to your Mac can get inside the machine and tinker with it.
What’s the problem?
The problem (first disclosed here) was revealed in a tweet by Lemi Orhan Ergin, who wrote:
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
You read that right.
Any Mac running macOS High Sierra is vulnerable to this problem. Anyone with access to your Mac can launch it, enter the word root as the User ID and hit return, while leaving the password field blank. You’ll be denied entry initially, but after a few tries you will get in.
Multiple people tested this successfully.
Just tested the apple root login bug. You can log in as root even after the machine was rebooted pic.twitter.com/fTHZ7nkcUp
— Amit Serper (@0xAmit) November 28, 2017
I urge you not to test it yourself, but suggest you take immediate steps to patch the problem as detailed below.
The problem is that once you have penetrated the Mac as the root “super-user” you are able to get inside System Preferences to make other changes, install software, and access files inside other user accounts.
As Apple puts it:
“The user account named ‘root’ is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts.”
This is a monumental error.
It also seems completely avoidable: “root” is a username every attacker anywhere tries when probing a system’s security.
The only way Apple’s engineers might have improved on this (i.e. made it worse) is if they had used the password ‘123456’.
The existence of the problem is shameful. Why does it exist and who is responsible?
You can protect yourself
An Apple spokesman told me:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
When you read the document, you will learn that root is a superuser account that is disabled by default on most systems.
However, this flaw undermines that and lets anyone log in to a Mac as root. The best way to protect yourself is to enable the root user yourself and set a password that you control, which plugs the flaw.
From Apple Support:
“Enable or disable the root user
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility:
  - Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
  - Or choose Edit > Disable Root User.”
The bug does not affect previous versions of macOS, including Sierra, El Capitan or older.
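Apple’s steps above are for the GUI. As an added example (not from the article or from Apple), here is a small shell audit that applies the same logic from the Terminal: it checks whether the Mac runs High Sierra at all, then reads the root account’s AuthenticationAuthority attribute with dscl and reports whether the “set a root password” mitigation still needs doing. It assumes that dscl prints that attribute only when the root user is enabled and answers “No such key” when it is disabled; the decision logic is kept in two pure functions so it can be tested with constructed input.

```shell
#!/bin/sh
# Added audit helper, not from the article or Apple.
# Assumption: `dscl . -read /Users/root AuthenticationAuthority` prints the
# attribute only when root is enabled and reports "No such key" otherwise.

# is_high_sierra VERSION -> 0 if VERSION is 10.13.x (the only release the
# article says is affected), 1 otherwise.
is_high_sierra() {
  case "$1" in
    10.13|10.13.*) return 0 ;;
    *) return 1 ;;
  esac
}

# root_state DSCL_OUTPUT -> prints "enabled", "disabled" or "unknown"
# based on the text dscl produced (stdout and stderr combined).
root_state() {
  case "$1" in
    *AuthenticationAuthority:*) echo enabled ;;
    *"No such key"*)            echo disabled ;;
    *)                          echo unknown ;;
  esac
}

# Only this part touches the live system, and only on macOS.
if [ "$(uname)" = "Darwin" ]; then
  version=$(sw_vers -productVersion)
  if ! is_high_sierra "$version"; then
    echo "macOS $version is not High Sierra; the article says this bug does not apply."
    exit 0
  fi
  # dscl writes "No such key" to stderr, so capture both streams.
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
  case "$(root_state "$out")" in
    enabled)
      echo "Root user is enabled. Confirm its password is one you set (Apple's 'Change the root password' steps)." ;;
    disabled)
      echo "Root user is disabled. Enable it and set a password you control until Apple's update is installed." ;;
    *)
      echo "Could not determine the root state from dscl output:"
      echo "$out" ;;
  esac
fi
```

On a machine where root was enabled deliberately with a known password the "enabled" result is expected; the script cannot tell that case apart from a blank password without attempting a login, which the article advises against.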
The scale of the flaw was best expressed by Edward Snowden, who wrote:
“Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key.”
I’m flabbergasted this flaw even exists. I see it as an absolute nadir for Apple security. The problem impacts millions of machines. I’ll be updating the Mac security guide here, but urge all High Sierra users to apply this fix immediately.